Abstract

We first show a deterministic algorithm for taking $r$-th roots over $\mathbb{F}_q$ without being given any $r$-th nonresidue, where $\mathbb{F}_q$ is a finite field with $q$ elements and $r$ is a small prime such that $r^2$ divides $q - 1$. As applications, we illustrate deterministic algorithms over $\mathbb{F}_q$ for constructing $r$-th nonresidues, constructing primitive elements, solving polynomial equations and computing elliptic curve "$n$-th roots", and a deterministic primality test for the generalized Proth numbers. All algorithms are proved without assuming any unproven hypothesis. They are efficient only if all the factors of $q - 1$ are small and some primitive roots of unity can be constructed efficiently over $\mathbb{F}_q$. In some cases, they are the fastest among the known deterministic algorithms.

1 Introduction 

Let $\mathbb{F}_q$ be a finite field with $q$ elements and $r$ be a prime. Similar to the relationship between taking square roots and constructing quadratic nonresidues over $\mathbb{F}_q$, taking $r$-th roots over $\mathbb{F}_q$, for $r$ a divisor of $q - 1$, is polynomial-time equivalent to constructing $r$-th nonresidues over $\mathbb{F}_q$. Clearly, if $r$-th roots can be computed efficiently, an $r$-th nonresidue can be constructed by taking $r$-th roots repeatedly on a non-zero, non-identity element. For the converse, the Tonelli-Shanks square root algorithm [21, 18] can be generalized to take $r$-th roots, provided that an $r$-th nonresidue is given as an input.

Without an $r$-th nonresidue as an input, there is no known unconditionally deterministic polynomial-time $r$-th root algorithm over finite fields in general, except for some easy cases such as

$$ (r, q - 1) = 1 \quad \text{or} \quad r \,\|\, q - 1; $$

see [3]. Under the assumption of the extended Riemann hypothesis, Buchmann and Shoup showed a deterministic polynomial-time algorithm for constructing $k$-th power nonresidues over finite fields [6].

For taking square roots over $\mathbb{F}_q$, if a quadratic nonresidue is given, we may use deterministic polynomial-time square root algorithms such as Tonelli-Shanks [21, 18], Adleman-Manders-Miller [1] and Cipolla-Lehmer [8]. Without quadratic nonresidues, we have Schoof's square root algorithm over prime fields [17], and our square root algorithm over any finite field [20]. Note that these two algorithms run in polynomial time only in some cases. Obviously, taking square roots and solving quadratic equations are polynomial-time equivalent.

A general problem is solving polynomial equations over $\mathbb{F}_q$, which is a generalization of the following problems,

• taking $r$-th roots,

• constructing primitive $r$-th roots of unity,

• constructing $r$-th nonresidues,

• constructing primitive elements (generators of $\mathbb{F}_q^*$),

where $r$ is a prime divisor of $q - 1$. It is clear that a primitive $r$-th root of unity can be computed efficiently from any $r$-th nonresidue. By definition, a primitive element is also an $r$-th nonresidue.

A more general problem is polynomial factoring over $\mathbb{F}_q$. Although there is a deterministic polynomial-time algorithm, the celebrated Lenstra-Lenstra-Lovász algorithm, for factoring polynomials over the rational numbers [15], there are no known unconditional finite field counterparts in general. For deterministic polynomial factoring over finite fields, we have Berlekamp's algorithm, which is efficient only for $q$ small [3]. For $q$ large, there are probabilistic algorithms such as the probabilistic version of Berlekamp's algorithm [5], Cantor and Zassenhaus [7], von zur Gathen and Shoup [24], and Kaltofen and Shoup [12]. Under some generalizations of the Riemann hypothesis, there is a subexponential-time algorithm by Evdokimov for any finite field [9], and there are deterministic polynomial-time algorithms for some special cases. For a survey, see [23].

The problem of solving polynomial equations is to find solutions of

$$ f(x) = 0 $$

over $\mathbb{F}_q$, where $f(x) \in \mathbb{F}_q[x]$ is a polynomial. Without loss of generality, we may assume $f$ is a product of distinct linear factors because squarefree factorization and distinct degree factorization can be computed efficiently; see [11, 23, 27]. If $f$ has a multiple root, then

$$ (f, f') \qquad (1.1) $$

is a non-trivial factor of $f$, where $f'$ denotes the derivative of $f$. Since $x^q - x$ is the product of all monic linear polynomials in $\mathbb{F}_q[x]$, the non-linear factors can be removed by computing

$$ (f(x), x^q - x). \qquad (1.2) $$

Let $E(\mathbb{F}_q)$ be an elliptic curve defined over $\mathbb{F}_q$. An analogy of taking $r$-th roots over $\mathbb{F}_q$ is taking "$n$-th roots" over $E(\mathbb{F}_q)$. Consider the following: given a point $Q \in E(\mathbb{F}_q)$ and a positive integer $n$,

(E1) decide whether

$$ Q = nP \qquad (1.3) $$

for some $\infty \neq P \in E(\mathbb{F}_q)$;
(E2) find $P$ if such $P$ exists.

Note that, when $Q = \infty$, the trivial solution $P = \infty$ is excluded. Although usually the elliptic curve group operation is written additively, the nature of the problems above is closer to finite field $n$-th roots than to finite field multiplicative inverses.

In this paper, the main results are presented in §2. We extend the ideas in [20] to design a deterministic $r$-th root algorithm in §3. Then, we demonstrate applications on primality testing, solving polynomial equations and taking elliptic curve "$n$-th roots" in §4, §5 and §6 respectively.

2 Main Results

The main results are summarized by the theorems at the end of the section. All theorems can be proved without assuming any unproven hypothesis.

All running times are given in terms of bit operations. We ignore logarithmic factors in running time and adopt the $\tilde{O}(\cdot)$ notation. Polynomial multiplication, division with remainder and greatest common divisor over $\mathbb{F}_q$ can be computed using fast Fourier transforms and other fast methods in

$$ \tilde{O}(d \log q) $$

bit operations for degree $d$ polynomials. See [13] and [22].
Let

$$ q = r_1^{e_1} \cdots r_m^{e_m} t + 1 \qquad (2.1) $$

where $r_1, \ldots, r_m$ are distinct primes and $e_1, \ldots, e_m, t \ge 1$ such that $(r_1 \cdots r_m, t) = 1$. Define sets of prime powers as follows.

Definition 2.1. Let $Q_t$ be a set of prime powers. For all $q \in Q_t$, $q$ can be written in the form of equation (2.1) such that

$$ r_1 + \cdots + r_m + t = O(\mathrm{poly}(\log q)) $$

and, for $1 \le j \le m$, a primitive $z_j$-th root of unity $\zeta_{z_j} \in \mathbb{F}_q$ can be computed in polynomial time, where

$$ z_j \overset{\mathrm{def}}{=} \qquad (2.2) $$

Informally, for $q \in Q_t$, $t$ and all the prime factors of $q - 1$ are small and a primitive $z_j$-th root of unity over $\mathbb{F}_q$ can be computed efficiently for any prime factor $r_j$ of $(q - 1)/t$. Note that the factorization of $q - 1$ can be computed efficiently in this case. Denote the union of $Q_t$ for $t \ge 1$ by

$$ Q \overset{\mathrm{def}}{=} \bigcup_{t \ge 1} Q_t. \qquad (2.3) $$

The main results are summarized below.



Theorem 2.2. Let $q \in Q$. For $r \in \{r_1, \ldots, r_m\}$, there is a deterministic polynomial-time algorithm computing an $r$-th root of any $r$-th residue over $\mathbb{F}_q$. Equivalently, there is a deterministic polynomial-time algorithm constructing an $r$-th nonresidue over $\mathbb{F}_q$.

Theorem 2.3. Let $q \in Q_1$. There is a deterministic polynomial-time algorithm constructing a primitive element over $\mathbb{F}_q$.

Definition 2.4. A generalized Proth number is a positive integer of the form

$$ N = r^e t + 1 \qquad (2.4) $$

for prime $r$, positive integers $e$ and $t$ such that $r^e > t$.

Theorem 2.5. Let $N$ be a generalized Proth number. There is a deterministic algorithm, which runs in

$$ \tilde{O}((r(r + t) + \log N)\, r \log^2 N) $$

bit operations for deciding the primality of $N$. Further, if $r$ is a small constant and $t = O(\log N)$, the running time is

$$ \tilde{O}(\log^3 N) $$

bit operations.

Theorem 2.6. Let $q \in Q_1$. There is a deterministic

$$ O(\mathrm{poly}(d \log q)) $$

algorithm to solve the polynomial equation $f(x) = 0$ over $\mathbb{F}_q$ for any degree $d$ polynomial $f(x) \in \mathbb{F}_q[x]$.

Theorem 2.7. Let $q \in Q_1$. There is a deterministic polynomial-time algorithm computing elliptic curve "$n$-th roots" over $\mathbb{F}_q$ for any positive integer $n = O(\mathrm{poly}(\log q))$.

3 Taking r-th Roots

Let $\mathbb{F}_q$ be a finite field with $q$ elements. Suppose

$$ \sqrt[r]{\beta} = \alpha \in \mathbb{F}_q \qquad (3.1) $$

for some $\alpha \in \mathbb{F}_q$ and some integer $r > 1$. The problem of taking $r$-th roots over $\mathbb{F}_q$ is to find $\alpha$, given a finite field $\mathbb{F}_q$, an element $\beta$ and an integer $r$. If $r$ does not divide $q - 1$, the problem is easy. If $r$ is a composite number, we may first compute $\gamma$, an $n$-th root of $\beta$ for $n$ a prime factor of $r$, and then compute an $(r/n)$-th root of $\gamma$ to obtain $\alpha$. Therefore, assume that $r$ is a prime divisor of $q - 1$.

The problem of taking $r$-th roots is reduced to finding a non-trivial factor of $x^r - \beta$ over $\mathbb{F}_q$. We label the following input items and then show Algorithm 3.1 below.

(F): $\mathbb{F}_q$, which is a finite field with $q$ elements.
(R): $r$, which is a prime divisor of $q - 1$.
(B): $\beta$, which is an $r$-th residue in $\mathbb{F}_q$.

Algorithm 3.1 (Compute an $r$-th root of $\beta$). The inputs are the ones specified in (F), (R) and (B); and $f(x)$, where $f(x) \in \mathbb{F}_q[x]$ is a monic non-trivial factor of $x^r - \beta$. This algorithm returns an $r$-th root of $\beta$.

1. Let $n = \deg f$ and $c_0 \in \mathbb{F}_q$ be the constant term of $f(x)$.

2. Find integers $u, v$ by the Euclidean algorithm such that $un + vr = 1$.

3. Return $(-1)^{nu} c_0^u \beta^v$.

Lemma 3.2. Algorithm 3.1 is correct.

Proof. Let $\rho$ be a primitive $r$-th root of unity in $\mathbb{F}_q$. Since

$$ x^r - \beta = \prod_{j=0}^{r-1} (x - \rho^j \alpha), $$

we have $c_0 = (-1)^n \rho^k \alpha^n$ for some integer $k$. We also have $(n, r) = 1$ because $0 < n < r$ and $r$ is a prime. There exist integers $u, v$ such that $un + vr = 1$. Finally,

$$ (-1)^{nu} c_0^u \beta^v = \rho^{ku} \alpha $$

is an $r$-th root of $\beta$. The lemma follows. □

3.1 Find a Non-trivial Factor of $x^r - \beta$

We extend the square root algorithm in [20] to show a deterministic algorithm, Algorithm 3.3, for finding a non-trivial factor of $x^r - \beta$. Unlike other algorithms, such as the generalized Shanks's algorithm, Algorithm 3.3 does not require any $r$-th nonresidue as an input and the associated proofs do not assume any unproven hypothesis. Similar to [20], Algorithm 3.3 requires finding primitive roots of unity. It is obvious that finding an $N$-th primitive root of unity is not harder than finding an $N$-th nonresidue because, given an $N$-th nonresidue, an $N$-th primitive root of unity can be easily computed. Below are some known cases where primitive roots of unity can be computed efficiently; see [20] for more details. Let $p$ be the characteristic of $\mathbb{F}_q$. Denote a fixed primitive $k$-th root of unity in $\mathbb{F}_q$ by $\zeta_k$.

(i) $\zeta_2$ or $\zeta_3$ when $p \equiv 1 \pmod{12}$.

(ii) $\zeta_{2 \cdot 3^n + 1}$ for $n \ge 1$ when $2 \cdot 3^n + 1$ is a prime and $p \equiv 13, 25 \pmod{36}$.

(iii) $\zeta_r$ when $q = r^e t + 1$ with $t$ small.

The arithmetic of the square root algorithm in [20] is carried out over a specially constructed group, $G_a$, which is isomorphic to $\mathbb{F}_q^*$ and a degenerate elliptic curve. Taking square roots is obviously equivalent to finding a non-trivial factor of $x^2 - \beta$. It is possible to formulate the algorithm in [20] so that the arithmetic is carried out over the ring $\mathbb{F}_q[x]/(x^2 - \beta)$ for factoring the polynomial $x^2 - \beta$. We generalize this idea and work on the ring $\mathbb{F}_q[x]/(x^r - \beta)$ in Algorithm 3.3. When $r = 2$, Algorithm 3.3 and the algorithm in [20] are essentially the same.

The "problem" of working on the ring $\mathbb{F}_q[x]/(x^r - \beta)$ is that there are zero divisors. However, if we have a zero divisor $f(x)$, then

$$ (f(x), x^r - \beta) $$

is a non-trivial factor of $x^r - \beta$. This idea is similar to Lenstra's elliptic curve integer factoring algorithm [10]. He works on the ring $\mathbb{Z}/n\mathbb{Z}$ for some composite integer $n$, tries to find a zero divisor $z$ in $\mathbb{Z}/n\mathbb{Z}$, and then $(z, n)$ is a non-trivial factor of $n$.

If $q - 1$ is not divisible by $r^2$, it is easy to compute $\alpha$. Thus, assume

$$ r^2 \mid (q - 1). \qquad (3.2) $$

As in equation (2.1), write

$$ q - 1 = r_1^{e_1} \cdots r_m^{e_m} t. $$

Without loss of generality, assume $r_1 = r$. Note that $e_1 \ge 2$ by assumption (3.2). Once the $r_i$'s are fixed, the partial factorization of $q - 1$ can be computed easily. Algorithm 3.3 applies to any finite field but it is efficient only if $q \in Q$; see definition (2.3). We present Algorithm 3.3 below and discuss the details in the following sections. Note that it returns immediately once Algorithm 3.6, 3.8 or 3.10 has returned a non-trivial factor of $x^r - \beta$.

(R'): $r$ which satisfies (R) and (3.2).

(Q): $r_1, \ldots, r_m$, $e_1, \ldots, e_m$ and $t$ such that $r_1 = r$ and $q - 1 = r_1^{e_1} \cdots r_m^{e_m} t$ is the partial factorization satisfying equation (2.1).

Algorithm 3.3 (Find a non-trivial factor of $x^r - \beta$). The inputs are the ones specified in assumptions (Q), (F), (R') and (B). This algorithm returns a non-trivial factor of $x^r - \beta$.

I: If $r = 2$ and $\beta = 1$, return $x + 1$.
If $r = 2$ and $\beta = -1$, return $x + \sqrt{-1}$.
Otherwise, compute $\rho = \zeta_r$, a primitive $r$-th root of unity.

II: Find $a$ by Algorithm 3.6 with $k = rt$.

III: Find $\ell$ by Algorithm 3.8.

IV: Find $k_0$ by Algorithm 3.10.

V: Find a non-trivial factor $f(x)$ of $x^r - \beta$ by Algorithm 3.14.
Return $f(x)$.

3.1.1 Find $a$ such that $(g_{a,k}(x), x^r - \beta) = 1$

For $a \in \mathbb{F}_q$, $a^r \neq \beta$, define a rational function

$$ \psi_a(x) = \frac{a - x}{a - \rho x} \in \mathbb{F}_q(x). \qquad (3.3) $$

For $0 \le i < r$, let

$$ c_i = \psi_a(\rho^i \alpha) \in \mathbb{F}_q^*; \qquad (3.4) $$

$$ d_i = \mathrm{ord}\, c_i, \qquad (3.5) $$

the order of $c_i$ over $\mathbb{F}_q^*$. In other words, we have

$$ \psi_a(x) \equiv c_i \pmod{x - \rho^i \alpha}; $$
$$ \psi_a(x)^{d_i} \equiv 1 \pmod{x - \rho^i \alpha}. $$

Instead of working with the rational function $\psi_a$ directly, define polynomials

$$ g_k(x, y, z) = (y - x)^k - z (y - \rho x)^k \in \mathbb{F}_q[x, y, z]; \qquad (3.6) $$

$$ g_{a,k}(x) \overset{\mathrm{def}}{=} g_k(x, a, 1) \in \mathbb{F}_q[x], \qquad (3.7) $$

for $k > 0$. We have the following lemma.

Lemma 3.4. Let $k$ be a positive integer.

(1) $d_i$ divides $k$ for all $0 \le i < r$ if and only if

$$ g_{a,k}(x) \equiv 0 \pmod{x^r - \beta}. $$

(2) There exist $i, j$ such that $d_i$ divides $k$ but $d_j$ does not divide $k$ if and only if

$$ (g_{a,k}(x), x^r - \beta) $$

is a non-trivial factor of $x^r - \beta$.

(3) $d_i$ does not divide $k$ for all $0 \le i < r$ if and only if

$$ (g_{a,k}(x), x^r - \beta) = 1. $$

Proof. It is straightforward. □

For the cases in Lemma 3.4, case (1) is not useful to our algorithm. We show in the lemma below that the number of possible values of $a$ falling into this case is bounded above by $k$. If case (2) occurs, we are done. Otherwise, we find an $a$ falling into case (3) in Algorithm 3.6.

Lemma 3.5. There are at most $k$ distinct $a \in \mathbb{F}_q$ such that $a^r \neq \beta$ and $g_{a,k}(x) \equiv 0 \pmod{x^r - \beta}$.

Proof. Suppose that, for $1 \le i \le k + 1$, we have $a_i \in \mathbb{F}_q$, $a_i^r \neq \beta$ and $g_{a_i,k}(x) \equiv 0 \pmod{x^r - \beta}$. Then, $g_{a_i,k}(\alpha) = 0$ and so $\psi_{a_i}(\alpha)^k = 1$. Since $\psi_a(\alpha) \neq \psi_b(\alpha)$ whenever $a \neq b$, there are $k + 1$ distinct elements in $\mathbb{F}_q$ such that the multiplicative orders of all these elements divide $k$. It is a contradiction. The lemma follows. □

We show Algorithm 3.6 below. Note that the $\rho$, which is computed in Algorithm 3.3 Step I, is used for computing $g_{a_i,k}(x)$ in II.2.

(Z): $\rho$, where $\rho = \zeta_r \in \mathbb{F}_q$ is a primitive $r$-th root of unity.

Algorithm 3.6 (Find $a$). The inputs are the ones specified in (F), (R'), (B) and (Z); and $k$, where $k \ge 1$ is an integer. This algorithm either returns a non-trivial factor of $x^r - \beta$, or returns $a \in \mathbb{F}_q$ such that

$$ a^r \neq \beta \quad \text{and} \quad (g_{a,k}(x), x^r - \beta) = 1. \qquad (3.8) $$

II: Consider $k + 1$ distinct elements $a_1, \ldots, a_{k+1} \in \mathbb{F}_q$.

II.1: If there exists $i$ such that $a_i^r = \beta$,
return $x - a_i$.

II.2: If there exists $i$ such that $f(x) = (g_{a_i,k}(x), x^r - \beta)$
is a non-trivial factor of $x^r - \beta$,
return $f(x)$.

II.3: Set $a = a_j$ for some $1 \le j \le k + 1$ such that $(g_{a_j,k}(x), x^r - \beta) = 1$.
Return $a$.

Lemma 3.7. Algorithm 3.6 is correct.

Proof. The algorithm is obviously correct if it returns at II.1 or II.2. Otherwise, there exists $1 \le j \le k + 1$ such that $(g_{a_j,k}(x), x^r - \beta) = 1$ by Lemma 3.5. The lemma follows. □
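As an added example, not code from the paper, the following Python implements Algorithm 3.1 together with the gcd test of Lemma 3.4 that Steps II.1 and II.2 of Algorithm 3.6 rely on, over a prime field $\mathbb{F}_p$. The instance $p = 19$, $r = 3$, $\beta = 8$, $\rho = 7$, $t = 2$ (so $k = rt = 6$) and the list of candidate values of $a$ are constructed for this example, and the function names are mine.

```python
# Added example, not from the paper: Algorithm 3.1 plus the gcd test of
# Lemma 3.4 (Algorithm 3.6, Steps II.1/II.2) over a prime field F_p.
# Polynomials are lists of coefficients mod p, lowest degree first.
def poly_trim(f):
    """Drop leading zero coefficients, keeping at least one entry."""
    while len(f) > 1 and f[-1] == 0:
        f = f[:-1]
    return f

def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return poly_trim(out)

def poly_divmod(f, g, p):
    """Quotient and remainder of f by g over F_p (g non-zero)."""
    f, g = poly_trim([c % p for c in f]), poly_trim([c % p for c in g])
    if len(f) < len(g):
        return [0], f
    inv = pow(g[-1], -1, p)  # inverse of the leading coefficient (Python 3.8+)
    quot, rem = [0] * (len(f) - len(g) + 1), f[:]
    for i in range(len(f) - len(g), -1, -1):
        coef = (rem[i + len(g) - 1] * inv) % p
        quot[i] = coef
        for j, b in enumerate(g):
            rem[i + j] = (rem[i + j] - coef * b) % p
    return poly_trim(quot), poly_trim(rem[:len(g) - 1] or [0])

def poly_gcd(f, g, p):
    """Monic greatest common divisor over F_p."""
    f, g = poly_trim(f), poly_trim(g)
    while g != [0]:
        f, g = g, poly_divmod(f, g, p)[1]
    inv = pow(f[-1], -1, p)
    return [(c * inv) % p for c in f]

def poly_powmod(base, k, modulus, p):
    """base^k reduced modulo `modulus` over F_p (square-and-multiply)."""
    result, base = [1], poly_divmod(base, modulus, p)[1]
    while k:
        if k & 1:
            result = poly_divmod(poly_mul(result, base, p), modulus, p)[1]
        base = poly_divmod(poly_mul(base, base, p), modulus, p)[1]
        k >>= 1
    return result

def x_r_minus_beta(r, beta, p):
    return [(-beta) % p] + [0] * (r - 1) + [1]  # x^r - beta

def g_ak(a, k, p, r, beta, rho):
    """g_{a,k}(x) = (a - x)^k - (a - rho x)^k mod x^r - beta, eqs (3.6)/(3.7)."""
    m = x_r_minus_beta(r, beta, p)
    f1 = poly_powmod([a % p, p - 1], k, m, p)          # (a - x)^k
    f2 = poly_powmod([a % p, (-rho) % p], k, m, p)     # (a - rho x)^k
    n = max(len(f1), len(f2))
    f1, f2 = f1 + [0] * (n - len(f1)), f2 + [0] * (n - len(f2))
    return poly_trim([(u - v) % p for u, v in zip(f1, f2)])

def split_gcd(a, k, p, r, beta, rho):
    """(g_{a,k}(x), x^r - beta): by Lemma 3.4 this is 1, x^r - beta, or a
    non-trivial factor, depending on which orders d_i divide k."""
    return poly_gcd(g_ak(a, k, p, r, beta, rho), x_r_minus_beta(r, beta, p), p)

def ext_gcd(a, b):
    """Return (u, v) with u*a + v*b == gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_u, old_v

def rth_root_from_factor(f, p, r, beta):
    """Algorithm 3.1: f is a monic non-trivial factor of x^r - beta."""
    n, c0 = len(f) - 1, f[0]
    u, v = ext_gcd(n, r)                 # u*n + v*r == 1 since 0 < n < r, r prime
    sign = p - 1 if (n * u) % 2 else 1   # (-1)^(n*u) in F_p
    return (sign * pow(c0, u, p) * pow(beta, v, p)) % p

def rth_root(p, r, beta, rho, t, candidates):
    """Steps II.1/II.2 of Algorithm 3.6 with k = r*t over `candidates`; returns
    (a, factor, root) for the first a that yields a factor of x^r - beta."""
    k = r * t
    for a in candidates:
        if pow(a, r, p) == beta % p:
            factor = [(-a) % p, 1]           # II.1: x - a divides x^r - beta
        else:
            factor = split_gcd(a, k, p, r, beta, rho)
            if len(factor) in (1, r + 1):    # trivial gcd (1 or x^r - beta):
                continue                     # a would be a Step II.3 candidate
        return a, factor, rth_root_from_factor(factor, p, r, beta)
    return None

# Constructed instance: p = 19 (p - 1 = 2 * 3^2), r = 3, t = 2, rho = 7, beta = 8 = 2^3.
if __name__ == "__main__":
    print(rth_root(19, 3, 8, 7, 2, [1, 16, 4]))   # (16, [17, 1], 2): a = 16 splits
```

For $a = 1$ the gcd is $1$ (every $d_i$ fails to divide $k = 6$, Lemma 3.4 case (3)), while $a = 16$ gives $\psi_{16}(2) = 7$ of order $3 \mid 6$ and the gcd $x - 2$ (case (2)), from which Algorithm 3.1 recovers the cube root $2$ of $8$.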

3.1.2 Find $\ell = r_{j_0}$ such that $(g_{a,h_{j_0}}(x), x^r - \beta) = 1$

Let

$$ h_j \overset{\mathrm{def}}{=} \begin{cases} (q - 1)/r_1^{e_1 - 1}, & \text{if } j = 1; \\ (q - 1)/r_j^{e_j}, & \text{otherwise.} \end{cases} $$

Algorithm 3.6 is executed with $k = rt$ in Algorithm 3.3 Step II. Algorithm 3.8 is shown below.

(A): $a$, where $a \in \mathbb{F}_q$ satisfies condition (3.8) with $k = rt$.
(L): $\ell$, where $\ell = r_{j_0}$ for some $1 \le j_0 \le m$ such that

$$ (g_{a,h_{j_0}}(x), x^r - \beta) = 1. $$

Algorithm 3.8 (Find $\ell$). The inputs are the ones specified in (Q), (F), (R'), (B), (Z) and (A). This algorithm either returns a non-trivial factor of $x^r - \beta$, or returns an integer $\ell$ satisfying (L).

III.1: If there exists $1 \le j \le m$ such that $f(x) = (g_{a,h_j}(x), x^r - \beta)$
is a non-trivial factor of $x^r - \beta$,
return $f(x)$.

III.2: Set $\ell = r_{j_0}$ for some $1 \le j_0 \le m$ such that $(g_{a,h_{j_0}}(x), x^r - \beta) = 1$.
Return $\ell$.

Lemma 3.9. Algorithm 3.8 is correct.

Proof. The algorithm is obviously correct if it returns at III.1. Otherwise, $(g_{a,h_j}(x), x^r - \beta)$ for $1 \le j \le m$ are trivial factors of $x^r - \beta$. Suppose, for all $1 \le j \le m$,

$$ g_{a,h_j}(x) \equiv 0 \pmod{x^r - \beta}. $$

Then,

$$ \psi_a(x)^{h_1} \equiv \cdots \equiv \psi_a(x)^{h_m} \equiv 1 \pmod{x^r - \beta}, $$

or equivalently,

$$ \psi_a(\rho^i \alpha)^{h_j} = 1 $$

for all $0 \le i < r$ and all $1 \le j \le m$. Recall that $d_i$ is the multiplicative order of $\psi_a(\rho^i \alpha)$ in $\mathbb{F}_q^*$ defined in equation (3.5). For all $0 \le i < r$ and all $1 \le j \le m$, we have

$$ d_i \mid h_j. $$

Since $rt = \gcd(h_1, \ldots, h_m)$, we have

$$ d_i \mid rt. $$

It is a contradiction because $d_i$ does not divide $rt$ for all $0 \le i < r$ by assumption (A) and Lemma 3.4 case (3). The lemma follows. □

3.1.3 Find $k_0$ such that $D_{k'}(x) = x^r - \beta$ for $0 \le k' \le k_0$ and $D_{k''}(x) = 1$ for $k_0 < k'' \le e'$

Let

$$ e' \overset{\mathrm{def}}{=} \begin{cases} e_1 - 1, & \text{if } \ell = r; \\ e_{j_0}, & \text{otherwise.} \end{cases} \qquad (3.9) $$

Define polynomials

$$ D_i(x) \overset{\mathrm{def}}{=} (g_{a,(q-1)/\ell^i}(x), x^r - \beta) \in \mathbb{F}_q[x] \qquad (3.10) $$

for $0 \le i \le e'$. By Lemma 3.4 case (1) with $k = q - 1$,

$$ D_0(x) = x^r - \beta $$

and, by assumption (L),

$$ D_{e'}(x) = 1. $$

We show Algorithm 3.10 below.
(K): $k_0$ such that, for all $0 \le k' \le k_0$ and all $k_0 < k'' \le e'$,

$$ D_{k'}(x) = x^r - \beta $$

and

$$ D_{k''}(x) = 1. $$

Algorithm 3.10 (Find $k_0$). The inputs are the ones specified in (Q), (F), (R'), (B), (Z), (A) and (L). This algorithm either returns a non-trivial factor of $x^r - \beta$, or returns an integer $k_0$ satisfying (K).

IV.1: Compute $D_k(x)$ by definition (3.10) for all $0 \le k \le e'$.

IV.2: If there exists $0 \le k \le e'$
such that $D_k(x)$ is a non-trivial factor of $x^r - \beta$,
return $D_k(x)$.

IV.3: Set $k_0$ to be the largest $k$ such that $D_k(x) = x^r - \beta$.
Return $k_0$.
Lemma 3.11. Algorithm 3.10 is correct.

Proof. The algorithm is obviously correct if it returns at IV.2. Suppose all $D_k(x)$ are trivial factors of $x^r - \beta$. By Lemma 3.12 below, there exists $0 \le k_0 < e'$ satisfying (K). The lemma follows. □

Lemma 3.12. If $D_i(x) = x^r - \beta$ for some $0 \le i \le e'$, then $D_{k'}(x) = x^r - \beta$ for all $0 \le k' \le i$.

Proof. It follows from case (1) of Lemma 3.4. □

3.1.4 Split $x^r - \beta$

Equipped with conditions (A), (L) and (K), we are ready to split $x^r - \beta$. Below is the key lemma.

Lemma 3.13. Let $N > 1$ be a prime power such that $N \neq r$. Let $D$ be a positive integer. Suppose, for $0 \le i < r$,

$$ \psi_a(\rho^i \alpha)^D = \zeta_N^{n_i} $$

for some integer $n_i \in (\mathbb{Z}/N\mathbb{Z})^\times$, where $a \in \mathbb{F}_q$ such that $a^r \neq \beta$, and $\zeta_N$ is a primitive $N$-th root of unity. There exist $i$ and $j$ such that

$$ n_i \neq n_j. $$

Proof. Suppose

$$ n_0 = \cdots = n_{r-1} = n $$

for some integer $n$ with $(n, N) = 1$. Let $\zeta = \zeta_N^n$. We have

$$ \psi_a(\alpha)^D = \psi_a(\rho\alpha)^D = \cdots = \psi_a(\rho^{r-1}\alpha)^D = \zeta, $$

which is equivalent to

$$ g_D(\alpha, a, \zeta) = g_D(\rho\alpha, a, \zeta) = \cdots = g_D(\rho^{r-1}\alpha, a, \zeta) = 0. $$

By definition (3.6),

$$ g_D(\rho^i\alpha, a, \zeta) = (a - \rho^i\alpha)^D - \zeta (a - \rho^{i+1}\alpha)^D. $$

Then,

$$ (a - \alpha)^D (1 - \zeta^r) = \sum_{i=0}^{r-1} \zeta^i g_D(\rho^i\alpha, a, \zeta) = 0. $$

Thus, $\zeta^r = 1$ since $a \neq \alpha$. It is a contradiction because $N$ does not divide $r$. The lemma follows. □



We show Algorithm 3.14 below. Define

$$ d \overset{\mathrm{def}}{=} \begin{cases} (q - 1)/\ell^{k_0 + 2}, & \text{if } \ell = r; \\ (q - 1)/\ell^{k_0 + 1}, & \text{otherwise.} \end{cases} $$

Algorithm 3.14 (Split $x^r - \beta$). The inputs are the ones specified in (Q), (F), (R'), (B), (Z), (A), (L) and (K). In addition, assume $r \neq 2$ when $\beta^r = 1$. This algorithm returns a non-trivial factor of $x^r - \beta$.

V.1: Case $\ell \neq r$:

V.1.1: Compute $\zeta_\ell$, a primitive $\ell$-th root of unity.

V.1.2: For each $0 < n < \ell$,
compute $f_n(x) = (g_d(x, a, \zeta_\ell^n), x^r - \beta)$,
return $f_n(x)$ if $f_n(x)$ is a non-trivial factor of $x^r - \beta$.

V.2: Case $\ell = r$ and $\beta^r \neq 1$:

V.2.1: Compute $\zeta_{r^2}$, a primitive $r^2$-th root of unity, recursively. In other words, use Algorithm 3.1 and Algorithm 3.3 with $\beta = \zeta_r$.

V.2.2: For each $n \in (\mathbb{Z}/r^2\mathbb{Z})^\times$,
compute $f_n(x) = (g_d(x, a, \zeta_{r^2}^n), x^r - \beta)$,
return $f_n(x)$ if $f_n(x)$ is a non-trivial factor of $x^r - \beta$.

V.3: Case $\ell = r \neq 2$ and $\beta^r = 1$:

V.3.1: For each $n \in (\mathbb{Z}/r^2\mathbb{Z})^\times$,
compute $f_n(x) = (g_d(x, a, x^n), x^r - \beta)$,
return $f_n(x)$ if $f_n(x)$ is a non-trivial factor of $x^r - \beta$.

Lemma 3.15. Algorithm 3.14 Step V.1 is correct.

Proof. Recall that $d_i$ is defined in equation (3.5). For all $0 \le i < r$, we have

$$ d_i \mid \ell d \quad \text{and} \quad d_i \nmid d $$

by assumption (K). Since $\mathbb{F}_q^\times$ is cyclic,

$$ \psi_a(\rho^i\alpha)^d = \zeta_\ell^{n_i} $$

for some $0 < n_i < \ell$. Let $g_n(x) \overset{\mathrm{def}}{=} g_d(x, a, \zeta_\ell^n) \in \mathbb{F}_q[x]$. Then,

$$ g_{n_0}(x) \equiv 0 \pmod{x - \alpha}. $$

By Lemma 3.13 with $N = \ell$ and $D = d$, there exists $0 < j < r$ such that

$$ g_{n_0}(x) \not\equiv 0 \pmod{x - \rho^j\alpha}. $$

Therefore, $(g_{n_0}(x), x^r - \beta)$ is a non-trivial factor of $x^r - \beta$. The remaining question is how to find $n_0$. It is not required. For $0 < n < \ell$, compute

$$ (g_n(x), x^r - \beta) $$

in order to find a non-trivial factor of $x^r - \beta$. The lemma follows. □

Lemma 3.16. Algorithm 3.14 Step V.2 is correct.

Proof. Similar to the proof of the previous lemma, for all $0 \le i < r$,

$$ d_i \mid r^2 d \quad \text{and} \quad d_i \nmid rd $$

by assumption (K). We have

$$ \psi_a(\rho^i\alpha)^d = \zeta_{r^2}^{n_i} $$

for some $n_i \in (\mathbb{Z}/r^2\mathbb{Z})^\times$. Let $g_n(x) \overset{\mathrm{def}}{=} g_d(x, a, \zeta_{r^2}^n) \in \mathbb{F}_q[x]$. Then,

$$ g_{n_0}(x) \equiv 0 \pmod{x - \alpha}; $$
$$ g_{n_0}(x) \not\equiv 0 \pmod{x - \rho^j\alpha} $$

for some $0 < j < r$ by Lemma 3.13 with $N = r^2$ and $D = d$. For each $n \in (\mathbb{Z}/r^2\mathbb{Z})^\times$, compute

$$ (g_n(x), x^r - \beta) $$

to find a non-trivial factor of $x^r - \beta$. The lemma follows. □

In the case $\ell = r$, a primitive $r^2$-th root of unity, $\zeta_{r^2}$, is required. Interestingly, $\zeta_{r^2}$ can be computed recursively, by taking an $r$-th root of $\rho$, or equivalently, by finding a non-trivial factor of $x^r - \rho$. Execute Algorithm 3.3 with $\beta = \rho$ and denote the output of Step III by $\ell'$. If $\ell' \neq r$, we proceed with Step V.1. Otherwise, we have $\ell' = r$. Then,

$$ (g_d(x, a, \zeta_{r^2}^n), x^r - \rho) \qquad (3.11) $$

is a non-trivial factor of $x^r - \rho$ for some $n$. Nevertheless, the gcd cannot be computed directly because $\zeta_{r^2}$ is not available. The idea is to replace $\zeta_{r^2}$ with $x$. In other words, use $g_d(x, a, x^n)$ instead of $g_d(x, a, \zeta_{r^2}^n)$ in (3.11). This idea does not work for the case $\ell = r = 2$ and $\beta^r = 1$, which is handled separately in Step I. We have the following lemma.

Lemma 3.17. Suppose $r$ is an odd prime. If

$$ g_d(x, a, x^n) \equiv 0 \pmod{x - \zeta_{r^2}} $$

for some $n \in (\mathbb{Z}/r^2\mathbb{Z})^\times$, there exists $0 < i < r$ such that

$$ g_d(x, a, x^n) \not\equiv 0 \pmod{x - \rho^i \zeta_{r^2}}. $$

Proof. Let $\zeta = \zeta_{r^2}$. Suppose

$$ g_d(x, a, x^n) \equiv 0 \pmod{x - \rho^i \zeta} $$

for all $0 \le i < r$. Then,

$$ g_d(\zeta, a, \zeta^n) = g_d(\rho\zeta, a, (\rho\zeta)^n) = \cdots = g_d(\rho^{r-1}\zeta, a, (\rho^{r-1}\zeta)^n) = 0. $$

Let

$$ s_k \overset{\mathrm{def}}{=} \sum_{i=0}^{k-1} i = k(k - 1)/2. $$

Note that $r$ divides $s_r$. By definition (3.6),

$$ g_d(\rho^i\zeta, a, (\rho^i\zeta)^n) = (a - \rho^i\zeta)^d - \rho^{in}\zeta^n (a - \rho^{i+1}\zeta)^d. $$

Then,

$$ 0 = \sum_{i=0}^{r-1} \rho^{s_i n} \zeta^{in} g_d(\rho^i\zeta, a, (\rho^i\zeta)^n) = (a - \zeta)^d (1 - \rho^{s_r n} \zeta^{rn}) = (a - \zeta)^d (1 - \zeta^{rn}). $$

Since $a \neq \zeta$, we have $\zeta^{rn} = 1$. It is a contradiction. The lemma follows. □

Lemma 3.18. Algorithm 3.14 Step V.3 is correct.

Proof. Suppose, for $0 \le i < r$,

$$ \psi_a(\rho^i \zeta_{r^2})^d = \zeta_{r^2}^{n_i} $$

for some integer $n_i \in (\mathbb{Z}/r^2\mathbb{Z})^\times$. Let $g_n(x) \overset{\mathrm{def}}{=} g_d(x, a, x^n) \in \mathbb{F}_q[x]$. Consider the polynomial $g_{n_0}(x)$. We have

$$ g_{n_0}(x) \equiv 0 \pmod{x - \zeta_{r^2}}; $$
$$ g_{n_0}(x) \not\equiv 0 \pmod{x - \rho^j \zeta_{r^2}} $$

for some $0 < j < r$ by Lemma 3.17. For each $n \in (\mathbb{Z}/r^2\mathbb{Z})^\times$, compute

$$ (g_n(x), x^r - \rho) $$

to find a non-trivial factor of $x^r - \rho$. The lemma follows. □

3.2 Running Time Analysis

We analyze the running time of Algorithms 3.1 and 3.3 below.

Lemma 3.19. Algorithm 3.1 runs in

$$ \tilde{O}(\log r \log q) $$

bit operations.

Proof. The Euclidean algorithm can be executed in $\tilde{O}(\log r)$ and the last step can be evaluated in $\tilde{O}(\log r \log q)$. The lemma follows. □
In Algorithm 3.3 a common operation is to compute

$$ (g_k(x, y, z^n), x^r - \beta) $$

for some fixed $k > 0$, some fixed $N$ and all $1 \le n \le N$, where $y \in \mathbb{F}_q$ and $z \in \mathbb{F}_q \cup \{x\}$. We show the required running time below and then show the running time of Algorithm 3.3.

Lemma 3.20. Let $k$ and $N$ be positive integers. Given $y \in \mathbb{F}_q$, $z \in \mathbb{F}_q \cup \{x\}$ and $\rho$, it takes

$$ \tilde{O}((\log k + N)\, r \log q) $$

bit operations to compute $(g_k(x, y, z^n), x^r - \beta)$ for all $1 \le n \le N$.

Proof. For any $a, b \in \mathbb{F}_q$, the power-modulo $(a - bx)^k \pmod{x^r - \beta}$ can be computed in $\tilde{O}(r \log k \log q)$. Let

$$ f_1(x) \overset{\mathrm{def}}{=} (y - x)^k \pmod{x^r - \beta}; $$
$$ f_2(x) \overset{\mathrm{def}}{=} (y - \rho x)^k \pmod{x^r - \beta}. $$

By equation (3.6),

$$ g_k(x, y, z^n) \equiv f_1(x) - z^n f_2(x) \pmod{x^r - \beta}. $$

Once $f_1$ and $f_2$ are obtained, the GCDs $(g_k(x, y, z^n), x^r - \beta)$ for $1 \le n \le N$ can be computed incrementally using $\tilde{O}(N r \log q)$. The lemma follows. □

Recall that $r_1 = r$ by assumption (Q) and $z_i$ is defined in equation (2.2).

Lemma 3.21. Algorithm 3.3 is correct and runs in

$$ \tilde{O}(Z_{\max} + (r(r + t) + r_{\max} + m \log q)\, r \log q) \qquad (3.12) $$

bit operations, where

$$ r_{\max} = \max(r_1, \ldots, r_m), $$
$$ Z_{\max} = \max(Z_{z_1}, \ldots, Z_{z_m}), $$

where $Z_n$ is the time required for constructing a primitive $n$-th root of unity over $\mathbb{F}_q$.
Proof. If it returns at Step I, the algorithm is obviously correct. Otherwise, the correctness follows from Lemmas 3.7, 3.9, 3.11, 3.15, 3.16 and 3.18. We show the running time as follows. Clearly, Step I requires

$$ \tilde{O}(Z_{z_1}). $$

For each $a_i$, the running times are $\tilde{O}(\log r \log q)$ in II.1 and $\tilde{O}(r \log k \log q)$ in II.2 and II.3. Step II requires

$$ \tilde{O}(k r \log q) = \tilde{O}(r^2 t \log q) $$

since there are $k + 1$ elements and $k = rt$. Step III requires

$$ \tilde{O}(m r \log^2 q). $$

By first computing $D_{e'}(x)$ in $\tilde{O}(r \log^2 q)$, then using the intermediate results to compute $D_{e'-1}(x)$ in $\tilde{O}(r \log \ell \log q)$ and so on, Step IV requires

$$ \tilde{O}(r \log \ell \log^2 q). $$

Suppose $\ell \neq r$ or $\beta^r = 1$ in Step V for the following. We are either in V.1 or V.3. V.1.1 requires computing $\zeta_\ell$. By Lemma 3.20, V.1.2 and V.3.1 can be done in $\tilde{O}((\log q + \ell)\, r \log q)$ and $\tilde{O}((\log q + r^2)\, r \log q)$, respectively. Step V without V.2 takes

$$ \tilde{O}(Z_\ell + (r^2 + \ell + \log q)\, r \log q). $$

The overall running time of the algorithm in this case is (3.12).

Suppose $\ell = r \neq 2$ and $\beta^r \neq 1$. Everything remains the same except that we are in V.2. By Lemma 3.19 and the above, the recursive call in V.2.1 requires (3.12). V.2.2, which is similar to V.3.1, requires $\tilde{O}((\log q + r^2)\, r \log q)$. The overall running time of the algorithm in this case is also (3.12).

The lemma follows. □

By the running time in (3.12), Algorithm 3.3 is efficient only if $t$ and all the prime factors of $q - 1$ are small and, for all $1 \le i \le m$, a primitive $z_i$-th root of unity can be constructed efficiently over $\mathbb{F}_q$.

Proof of Theorem 2.2. If $r^2 \nmid (q - 1)$, taking $r$-th roots over $\mathbb{F}_q$ can be easily done in polynomial time. Otherwise, $r^2 \mid (q - 1)$. Since $q \in Q$, we have

$$ t + r_{\max} + Z_{\max} = O(\mathrm{poly}(\log q)). $$

Taking $r$-th roots for any $r$-th residue over $\mathbb{F}_q$ can be done in polynomial time by Lemmas 3.19 and 3.21.

For constructing an $r$-th nonresidue in $\mathbb{F}_q$, we begin with $\zeta_r$, compute $\zeta_{r^2} = \sqrt[r]{\zeta_r}$, then compute $\zeta_{r^3} = \sqrt[r]{\zeta_{r^2}}$, and so on. The theorem follows. □

Proof of Theorem 2.3. For any $q \in Q_1$, for each $i$, an $r_i$-th nonresidue $\zeta_{r_i^{e_i}} \in \mathbb{F}_q$ can be computed in deterministic polynomial time by Theorem 2.2. The product $\prod_{i=1}^{m} \zeta_{r_i^{e_i}}$ is a primitive element over $\mathbb{F}_q$. The theorem follows. □

We show an interesting special case below.

Theorem 3.22. Let $q = r^e t + 1$ be a prime power for $r$ prime, $e \ge 1$, $t \ge 1$ and $(r, t) = 1$. There is a deterministic algorithm, which runs in

$$ \tilde{O}((r(r + t) + \log q)\, r \log q) $$

bit operations for taking $r$-th roots over $\mathbb{F}_q$.

Further, there is a deterministic algorithm, which runs in

$$ \tilde{O}((r(r + t) + \log q)\, r \log^2 q) $$

bit operations for constructing an $r$-th nonresidue over $\mathbb{F}_q$.

Proof. Firstly, find a primitive $r$-th root of unity, $\zeta_r$, by [20, Alg. 5.9] in $\tilde{O}((t + \log q) \log q)$. Then, use Algorithms 3.1 and 3.3 to compute an $r$-th root in $\tilde{O}(\log r \log q)$ and $\tilde{O}((r(r + t) + \log q)\, r \log q)$, respectively. For constructing an $r$-th nonresidue, it requires taking $O(\log q)$ $r$-th roots. The theorem follows. □



4 Primality Testing 

Let $N$ be a generalized Proth number defined in Definition 2.4. Consider the problem of deciding the primality of $N$. In [19], a deterministic primality test is created from a deterministic square root algorithm and Proth's theorem; see [26] for the details of Proth's theorem. The idea is generalized here: we design a deterministic primality test using the deterministic $r$-th root algorithm presented in §3 and a generalized Proth's theorem (Theorem 4.2 below). This generalization of Proth's theorem is well known. The idea of our primality test is similar to the Pocklington-Lehmer primality test; see [25, §7.2]. Theorem 2.5 is proved in the following.

Proof of Theorem 2.5. If $N$ is prime, an $r$-th nonresidue $\zeta_{r^e} \in \mathbb{Z}/N\mathbb{Z}$ can be constructed in

$$ \tilde{O}((r(r + t) + \log N)\, r \log^2 N) $$

by Theorem 3.22. If $N$ is composite, $\zeta_{r^e} \notin \mathbb{Z}/N\mathbb{Z}$ by Theorem 4.2 below. Since all algorithms, including Algorithm 5.9 in [20] and Algorithms 3.1 and 3.3 in the previous section, are deterministic, the primality of $N$ can be decided by trying to construct an $r$-th nonresidue over the integer ring $\mathbb{Z}/N\mathbb{Z}$ using these algorithms. The theorem follows. □

For $N = r^e t + 1$ with $r$ a small constant and $t = O(\log N)$, the running time of our primality test is

$$ \tilde{O}(\log^3 N). $$

It is faster than all known deterministic tests. The running times of the AKS test [2] and Lenstra-Pomerance's modified AKS test [14] are $\tilde{O}(\log^{7.5} N)$ and $\tilde{O}(\log^6 N)$, respectively. Assuming the Extended Riemann Hypothesis, Miller's test [16] is deterministic with running time $\tilde{O}(\log^4 N)$.

We will use the following lemma to prove Theorem 4.2. Denote Euler's function by $\phi(\cdot)$.

Lemma 4.1. Let $n = \ell^k$ be a prime power for some prime $\ell$ and $k \ge 1$. Let $r^e$ be a prime power with $r \neq \ell$. If

$$ r^e \mid \phi(n) \quad \text{and} \quad r^e > \sqrt{n}, $$

then $k = 1$ and $n$ is a prime.

Proof. We have

$$ \phi(n) = (\ell - 1)\ell^{k-1}. $$

Then, $r^e$ divides $(\ell - 1)$ and so $\ell > r^e$. If $k > 1$, then

$$ \phi(n) \ge (\ell - 1)\ell > r^{2e} > n, $$

which is a contradiction. Thus, $k = 1$ and $n$ is a prime. □

Theorem 4.2. (Generalized Proth's Theorem) Let $N = r^e t + 1$ be a generalized Proth number defined in Definition 2.4 for prime $r$, positive integers $e$ and $t$ such that $r^e > t$. If

$$ a^{N-1} \equiv 1 \pmod{N} \quad \text{and} \quad a^{(N-1)/r} \not\equiv 1 \pmod{N}, \qquad (4.1) $$

for some integer $a$, then $N$ is a prime.
Proof. It is easy to see that, for any generalized Proth number,

$$ r^e > \sqrt{N}. $$

Suppose there exists an integer $a$ satisfying equations (4.1). Let $d \overset{\mathrm{def}}{=} \mathrm{ord}_N\, a$ be the order of $a$ in $(\mathbb{Z}/N\mathbb{Z})^\times$. Then, $r^e$ divides $d$ and so

$$ r^e \mid \phi(N). $$

If $N = \ell^k$ for some prime $\ell$ and $k \ge 1$, then $N$ is a prime by Lemma 4.1.

Suppose $N = \ell_1^{k_1} \cdots \ell_m^{k_m}$ for $m > 1$, some distinct primes $\ell_1, \ldots, \ell_m$ and some integers $k_1, \ldots, k_m \ge 1$. Let $b \overset{\mathrm{def}}{=} a^{d/r^e} \pmod{N}$. Then,

$$ \mathrm{ord}_N\, b = r^e. $$

Let $d_i$ be the order of $b$ in $(\mathbb{Z}/\ell_i^{k_i}\mathbb{Z})^\times$. Since

$$ b^{r^e} \equiv 1 \pmod{\ell_i^{k_i}} $$

for all $1 \le i \le m$,

$$ d_i \overset{\mathrm{def}}{=} \mathrm{ord}_{\ell_i^{k_i}}\, b = r^{s_i} $$

for some $0 \le s_i \le e$. Without loss of generality, assume $s_1 \ge s_i$ for all $1 \le i \le m$. Then,

$$ b^{d_1} \equiv 1 \pmod{\ell_i^{k_i}} $$

for all $1 \le i \le m$. By the Chinese Remainder Theorem,

$$ b^{d_1} \equiv 1 \pmod{N}. $$

Therefore, $r^e$ divides both $d_1$ and $\phi(\ell_1^{k_1})$. By Lemma 4.1 with $n = \ell_1^{k_1}$, we have $k_1 = 1$. Write

$$ \ell_1 = r^e t_1 + 1 \quad \text{and} \quad N/\ell_1 = r^{e_0} t_0 + 1 $$

with $(r, t_0) = 1$. Since $\ell_1 (N/\ell_1) = N = r^e t + 1$, we have

$$ t = t_0 t_1 r^{e_0} + t_1 + t_0 r^{e_0 - e}. $$

Then, $e_0 \ge e$, otherwise $t$ is not an integer. However,

$$ N = \ell_1 (N/\ell_1) > r^{e + e_0} \ge r^{2e} > N, $$

which is a contradiction. The theorem follows. □
5 Solving Polynomial Equations

Let $\mathbb{F}_q$ be the finite field of $q$ elements. Let $f(x) \in \mathbb{F}_q[x]$ be a polynomial.
In this section, we consider the problem of solving the polynomial equation

$f(x) = 0$

over $\mathbb{F}_q$. By (1.1) and (1.2) in §1, we may assume $f$ is a product of distinct
linear factors. Without loss of generality, assume $\deg f > 1$ and $f(0) \ne 0$.
When the prime factors of $q - 1$ are small, the problem of solving polynomial
equations over $\mathbb{F}_q$ is polynomial-time reducible to the problem of taking $r$-th
roots over $\mathbb{F}_q$ for all prime factors $r$ of $q - 1$.

The idea is simple: suppose $f(x)$ is a divisor of $x^d - a$ for some integer
divisor $d$ of $q - 1$ and some $d$-th residue $a \in \mathbb{F}_q$, i.e.

$a^{(q-1)/d} = 1$

(equivalently, $\mathrm{ord}(a)$ divides $(q-1)/d$), so that $x^d - a$ splits into distinct linear
factors over $\mathbb{F}_q$. Let $\ell$ be a prime factor of $d$ and $\zeta_\ell \in \mathbb{F}_q$ be a primitive $\ell$-th
root of unity. Since $\ell \mid d$, $a$ is also an $\ell$-th residue, so $a^{1/\ell} \in \mathbb{F}_q$. For $0 \le i < \ell$, let

$h_i(x) = x^{d/\ell} - \zeta_\ell^i\, a^{1/\ell} \in \mathbb{F}_q[x]$;
$g_i(x) = (f(x), h_i(x)) \in \mathbb{F}_q[x]$.

We have

$x^d - a = \prod_{i=0}^{\ell-1} h_i(x)$;

$f(x) = \prod_{i=0}^{\ell-1} g_i(x)$.

If $g_i$ is a non-trivial factor of $f$ for some $0 \le i < \ell$, we are done (or keep
factoring until the complete factorization of $f$ is obtained). Otherwise, $f$ is
a divisor of $h_{i_0}$ for some $0 \le i_0 < \ell$. Repeat the process with $d' = d/\ell$ and
$a' = \zeta_\ell^{i_0}\, a^{1/\ell}$. Initially, $f(x)$ is a divisor of $x^{q-1} - 1$, i.e. $a = 1$ and $d = q - 1$.
We show a deterministic algorithm to find a non-trivial factor of $f$ below.

Algorithm 5.1 (Factoring products of linear polynomials). The inputs are
the prime factorization $q - 1 = r_1^{e_1} \cdots r_m^{e_m}$ and a polynomial $f(x) \in \mathbb{F}_q[x]$
such that $f(0) \ne 0$ and $f(x)$ is a product of two or more distinct monic
linear polynomials. This algorithm returns a non-trivial factor of $f$.

I: Set $a = 1$ and $d = q - 1$.
Compute $\zeta_{r_j}$ for $1 \le j \le m$.

II: For each $1 \le j \le m$:

II.1: For each $1 \le k \le e_j$:

II.1.1: Compute $b \in \mathbb{F}_q$ such that $b^{r_j} = a$ using some algorithm.
II.1.2: Compute $g_i(x) = (f(x),\, x^{d/r_j} - \zeta_{r_j}^i\, b)$ for all $0 \le i < r_j$.
II.1.3: If $g_i$ is a non-trivial factor of $f$ for some $0 \le i < r_j$,
return $g_i$.
Otherwise, set $i_0 = i$ such that $g_i = f$.
II.1.4: Set $a = \zeta_{r_j}^{i_0}\, b$ and $d = d/r_j$.
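Algorithm 5.1 carried out over a prime field $\mathbb{F}_p$ (so $q = p$), as an added example that is not part of the paper. Polynomials are coefficient lists, $h(x) = x^{d/r_j} \bmod f(x)$ is computed once per iteration by square-and-multiply and shared by all $g_i$, and the gcds are monic. The "some algorithm" of II.1.1 and the roots of unity of Step I are supplied here by a discrete-logarithm table of a primitive root of $\mathbb{F}_p$ (which assumes $p$ is small); any $r$-th root method, including the paper's, could be substituted. The helper names and the test polynomials are this example's own.

```python
# Added example, not from the paper: Algorithm 5.1 over a prime field F_p
# (q = p).  A polynomial is a list c with c[i] the coefficient of x^i.
# r-th roots and primitive roots of unity come from a discrete-log table of a
# primitive root of F_p, standing in for the "some algorithm" of II.1.1
# (assumes p small); the algorithm itself does not depend on this choice.

def factor_integer(n):
    """Prime factorization of n as [(r, e), ...] by trial division (n small)."""
    fac, r = [], 2
    while r * r <= n:
        e = 0
        while n % r == 0:
            n //= r
            e += 1
        if e:
            fac.append((r, e))
        r += 1
    if n > 1:
        fac.append((n, 1))
    return fac

def primitive_root(p, factors):
    """Smallest generator of F_p^*, given the prime factors of p - 1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // r, p) != 1 for r, _ in factors))

def trim(c):
    while len(c) > 1 and c[-1] == 0:
        c.pop()
    return c

def pmul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def pdivmod(a, m, p):
    """Quotient and remainder of a divided by m over F_p (m != 0)."""
    a = [x % p for x in a]
    q = [0] * max(len(a) - len(m) + 1, 1)
    inv = pow(m[-1], p - 2, p)
    for i in range(len(a) - len(m), -1, -1):
        coef = a[i + len(m) - 1] * inv % p
        q[i] = coef
        for j, y in enumerate(m):
            a[i + j] = (a[i + j] - coef * y) % p
    return trim(q), trim(a[:len(m) - 1] or [0])

def pgcd(a, b, p):
    """Monic gcd over F_p."""
    while b != [0]:
        a, b = b, pdivmod(a, b, p)[1]
    inv = pow(a[-1], p - 2, p)
    return [x * inv % p for x in a]

def ppowmod(base, e, m, p):
    """base^e mod m over F_p by square-and-multiply."""
    result, base = [1], pdivmod(base, m, p)[1]
    while e:
        if e & 1:
            result = pdivmod(pmul(result, base, p), m, p)[1]
        base = pdivmod(pmul(base, base, p), m, p)[1]
        e >>= 1
    return result

def split_linear_product(f, p):
    """Algorithm 5.1: a non-trivial monic factor of f, where f is a product
    of two or more distinct linear factors over F_p with f(0) != 0."""
    factors = factor_integer(p - 1)
    g = primitive_root(p, factors)
    dlog = {pow(g, i, p): i for i in range(p - 1)}
    a, d = 1, p - 1                           # Step I: invariant f | x^d - a
    for r, e in factors:                      # Step II
        zeta = pow(g, (p - 1) // r, p)        # primitive r-th root of unity
        for _ in range(e):                    # II.1
            b = pow(g, dlog[a] // r, p)       # II.1.1: b^r = a (a is an r-th residue)
            h = ppowmod([0, 1], d // r, f, p)  # x^{d/r} mod f, shared by all g_i
            i0 = None
            for i in range(r):                # II.1.2: g_i = gcd(f, x^{d/r} - zeta^i b)
                hi = h[:]
                hi[0] = (hi[0] - pow(zeta, i, p) * b) % p
                gi = pgcd(f, trim(hi), p)
                if 1 < len(gi) < len(f):      # II.1.3: non-trivial factor found
                    return gi
                if len(gi) == len(f):
                    i0 = i                    # f divides h_{i0}
            a, d = pow(zeta, i0, p) * b % p, d // r   # II.1.4
    raise ValueError("f is not a product of two or more distinct linear factors")

def roots(f, p):
    """Sorted roots of f, found by splitting with Algorithm 5.1 repeatedly."""
    f = trim([x % p for x in f])
    if len(f) == 2:
        return [(-f[0]) * pow(f[1], p - 2, p) % p]
    g = split_linear_product(f, p)
    quotient, rem = pdivmod(f, g, p)
    assert rem == [0]
    return sorted(roots(g, p) + roots(quotient, p))
```

With $p = 17$ ($q - 1 = 2^4$) and $f = (x-1)(x-2)(x-3)$, the first iteration already splits off $(x-1)(x-2)$: the gcd with $x^8 - 1$ collects exactly the roots that are quadratic residues. The recursion in `roots` is the "keep factoring" remark above Algorithm 5.1.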

Lemma 5.2. Algorithm 5.1 is correct.

Proof. Clearly, the loops maintain the invariant that $a$ is an $r_j$-th residue
over $\mathbb{F}_q$ at II.1.1: $a$ is a $d$-th residue there and $r_j \mid d$. Thus, the $r_j$-th roots of $a$ are in $\mathbb{F}_q$.

We show by induction that $f(x) \mid (x^d - a)$ is an invariant at II.1.1. When
$j = k = 1$, we have $a = 1$ and $d = q - 1$. By the input assumption, $f(x)$
divides $x^{q-1} - 1$. Let $a_{j_0,k_0}$ and $d_{j_0,k_0}$ be the values of $a$ and $d$ at II.1.1 when
$j = j_0$ and $k = k_0$, and let $b_{j_0,k_0}$ be the $r_{j_0}$-th root of $a_{j_0,k_0}$ computed there.
Suppose $f(x)$ divides $x^{d_{j_0,k_0}} - a_{j_0,k_0}$. Let

$h_{i,j_0,k_0}(x) = x^{d_{j_0,k_0}/r_{j_0}} - \zeta_{r_{j_0}}^i\, b_{j_0,k_0} \in \mathbb{F}_q[x]$;
$g_{i,j_0,k_0}(x) = (f(x), h_{i,j_0,k_0}(x)) \in \mathbb{F}_q[x]$.

Then,

$f(x) = \prod_{i=0}^{r_{j_0}-1} g_{i,j_0,k_0}(x)$.

If there exists a non-trivial factor of $f$, done. Otherwise, there exists a
unique $i_0$ such that $g_{i_0,j_0,k_0} = f$. Denote the pair of $j, k$ following $j_0, k_0$ by $j_1, k_1$.
When $j = j_1$ and $k = k_1$, we have

$a_{j_1,k_1} = \zeta_{r_{j_0}}^{i_0}\, b_{j_0,k_0}$ and $d_{j_1,k_1} = d_{j_0,k_0}/r_{j_0}$

at II.1.1. By the definition of $g_{i_0,j_0,k_0}$, $f(x)$ divides $x^{d_{j_1,k_1}} - a_{j_1,k_1}$.

As a consequence, $f(x)$ divides $x^d - a$ right after II.1.4. The algorithm
eventually returns a non-trivial factor of $f$ at II.1.3. Otherwise, for $j = m$
and $k = e_m$, we have $d = 1$ right after II.1.4. Then, $f(x)$ divides a linear
polynomial, which contradicts $\deg f > 1$. The lemma follows. $\square$

Lemma 5.3. Algorithm 5.1 runs in

$O\bigl((Z_{\max} + R_{\max} + (r_{\max} + \log q)\,\deg f\,\log q)\,\log q\bigr)$

bit operations, where

$r_{\max} \stackrel{\mathrm{def}}{=} \max(r_1, \ldots, r_m)$,
$Z_{\max} \stackrel{\mathrm{def}}{=} \max(Z_{r_1}, \ldots, Z_{r_m})$,
$R_{\max} \stackrel{\mathrm{def}}{=} \max(R_{r_1}, \ldots, R_{r_m})$,

and $Z_n$ and $R_n$ are respectively the time required for constructing a primitive
$n$-th root of unity and computing an $n$-th root over $\mathbb{F}_q$.

Proof. Obviously, Step I requires

$O(m Z_{\max})$.

II.1.1 requires $O(R_{r_j})$. In II.1.2, first compute $h(x) = x^{d/r_j} \bmod f(x)$ using
$O(\deg f\,\log^2 q)$ and then compute $(f(x),\, h(x) - \zeta_{r_j}^i\, b)$ for $0 \le i < r_j$
using $O(r_j\,\deg f\,\log q)$. The time required for II.1.3 and II.1.4 is clearly
dominated by II.1.2. Since there are at most

$\sum_{j=1}^{m} e_j = O(\log q)$

iterations, Step II requires

$O\bigl((R_{\max} + (r_{\max} + \log q)\,\deg f\,\log q)\,\log q\bigr)$.

Since $m = O(\log q)$, the lemma follows. $\square$

Lemma 5.4. Let $\mathbb{F}_q$ be a finite field of $q$ elements. For every prime factor $r$
of $q - 1$, suppose $r = O(\mathrm{poly}(\log q))$ and there are deterministic polynomial-
time algorithms for constructing a primitive $r$-th root of unity and computing
$r$-th roots over $\mathbb{F}_q$. Then, there is a deterministic polynomial-time algorithm
solving any polynomial equation over $\mathbb{F}_q$.

Proof. Without loss of generality, assume the input polynomial $f(x) \in \mathbb{F}_q[x]$
is a product of two or more distinct monic linear polynomials and $f(0) \ne 0$.
The complete factorization of $f$ can be computed in polynomial time using
Algorithm 5.1 repeatedly. The overall running time is $O(\mathrm{poly}(\deg f\,\log q))$
by Lemma 5.3. Since the input size is $O(\deg f\,\log q)$, it is a polynomial-time
algorithm. The lemma follows. $\square$

Proof of Theorem 2.6. Since $q \in Q_1$, the theorem is an obvious consequence
of Theorem 2.2 and Lemma 5.4. $\square$



6 The Elliptic Curve "n-th Root" Problem

Let $\mathbb{F}_q$ be a finite field with $q$ elements. For simplicity, assume the charac-
teristic of $\mathbb{F}_q$ is neither 2 nor 3. Denote an elliptic curve $E$ over $\mathbb{F}_q$ by the
Weierstrass equation

$E : y^2 = x^3 + a_4 x + a_6$

for some $a_4, a_6 \in \mathbb{F}_q$. In the following, the elliptic curve "$n$-th root" problems
described in (E1) and (E2) will be reduced to the problem of solving polynomial
equations.

It is well known that multiplication by $n$ over $E$ is an endomorphism,

$[n](x, y) = \left( \frac{U_1(x)}{V_1(x)},\; y\,\frac{U_2(x)}{V_2(x)} \right)$,

for some polynomials $U_1(x), V_1(x), U_2(x), V_2(x) \in \mathbb{F}_q[x]$ such that

$\deg U_1 = n^2$,
$\deg V_1 \le n^2 - 1$,
$(U_1, V_1) = (U_2, V_2) = 1$.

All polynomials $U_1, V_1, U_2$ and $V_2$ can be computed in polynomial time; see
[25] for the details.

Suppose $Q \ne \infty$. We have $Q = (a, b)$ for some $a, b \in \mathbb{F}_q$. If $Q = n(x_0, y_0)$
for some $x_0, y_0 \in \mathbb{F}_q$, then $x_0$ is a solution of

$f(x) = U_1(x) - a\,V_1(x) = 0$

over $\mathbb{F}_q$. Suppose $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$ are the roots of equation $f(x) = 0$. Let

$g_i(y) = y^2 - (\alpha_i^3 + a_4 \alpha_i + a_6)$; (6.1)
$h_i(y) = y\,U_2(\alpha_i) - b\,V_2(\alpha_i)$; (6.2)
$\mathcal{P} = \{(\alpha_i, \beta) \in \mathbb{F}_q^2 : g_i(\beta) = 0 \text{ and } h_i(\beta) = 0\}$. (6.3)

The set $\mathcal{P}$ is the complete set of solutions of equation (1.3). For (E1),
equation (1.3) has a solution if and only if $\mathcal{P}$ is non-empty. For (E2), any
point $P \in \mathcal{P}$ is a solution of equation (1.3).

Suppose $Q = \infty$. Denote a fixed algebraic closure of $\mathbb{F}_q$ by $\overline{\mathbb{F}}_q$. Let

$E[n](\mathbb{F}_q) = E[n] \cap E(\mathbb{F}_q)$,

where $E[n]$ denotes the $n$-torsion subgroup of $E(\overline{\mathbb{F}}_q)$. Then

$P \in E[n](\mathbb{F}_q)$

if $P$ is a solution of equation (1.3). Let $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$ be the roots of the
equation $V_1(x) = 0$ and

$\mathcal{P}' = \{(\alpha_i, \beta) : 1 \le i \le k,\ g_i(\beta) = 0\}$,

where $g_i$ is defined in equation (6.1). Problems (E1) and (E2) can be solved
similarly to before.
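The reduction above carried out for $n = 2$ (point halving), as an added example that is not part of the paper. For $n = 2$ the $x$-coordinate map is $U_1(x)/V_1(x)$ with $U_1(x) = x^4 - 2a_4 x^2 - 8a_6 x + a_4^2$ and $V_1(x) = 4(x^3 + a_4 x + a_6)$, which follows from the affine doubling formula. Two substitutions keep the example self-contained and are not the paper's method: the equations $f(x) = 0$ and $g_i(y) = 0$ are solved by exhaustive evaluation over $\mathbb{F}_p$ (a stand-in for the Section 5 solver, which assumes $p$ is small), and the test $h_i(\beta) = 0$ of (6.2) is replaced by doubling the candidate $(\alpha_i, \beta)$ and comparing with $Q$, which selects the same points. The curve, the points and the function names are constructed for this example.

```python
# Added example, not from the paper: the Section 6 reduction for n = 2
# ("point halving") on E: y^2 = x^3 + a4 x + a6 over a small prime field F_p.
# U1, V1 are the n = 2 polynomials from the affine doubling formula.  The
# polynomial equations are solved by exhaustive evaluation over F_p (assumes
# p small), and the h_i(beta) = 0 test of (6.2) is replaced by a doubling check.

INF = None   # the point at infinity

def on_curve(P, a4, a6, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a4 * x + a6)) % p == 0

def ec_double(P, a4, a6, p):
    """Affine doubling on y^2 = x^3 + a4 x + a6 (characteristic not 2 or 3)."""
    if P is INF or P[1] % p == 0:
        return INF
    x, y = P
    lam = (3 * x * x + a4) * pow(2 * y, p - 2, p) % p
    x2 = (lam * lam - 2 * x) % p
    return (x2, (lam * (x - x2) - y) % p)

def u1_v1(x, a4, a6, p):
    """U1(x) and V1(x) for n = 2, so that x([2](x, y)) = U1(x) / V1(x)."""
    u1 = (x ** 4 - 2 * a4 * x * x - 8 * a6 * x + a4 * a4) % p
    v1 = 4 * (x ** 3 + a4 * x + a6) % p
    return u1, v1

def x_candidates(Q, a4, a6, p):
    """Roots alpha_i of f(x) = U1(x) - a V1(x) for Q = (a, b),
    or of V1(x) for Q = inf (x-coordinates of E[2](F_p))."""
    if Q is INF:
        return [x for x in range(p) if u1_v1(x, a4, a6, p)[1] == 0]
    a = Q[0]
    out = []
    for x in range(p):
        u1, v1 = u1_v1(x, a4, a6, p)
        if (u1 - a * v1) % p == 0:
            out.append(x)
    return out

def halve(Q, a4, a6, p):
    """All P in E(F_p), P != inf, with [2]P = Q: the set P of (6.3),
    or P' for Q = inf."""
    sols = []
    for alpha in x_candidates(Q, a4, a6, p):
        rhs = (alpha ** 3 + a4 * alpha + a6) % p
        for beta in range(p):
            if (beta * beta - rhs) % p != 0:          # g_i(beta) != 0
                continue
            if ec_double((alpha, beta), a4, a6, p) == Q:   # replaces h_i(beta) = 0
                sols.append((alpha, beta))
    return sols
```

On the constructed curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$, the point $(3, 6)$ doubles to $Q = (80, 10)$, and `halve(Q, 2, 3, 97)` recovers $(3, 6)$ among the solutions; `halve(INF, 2, 3, 97)` returns the rational 2-torsion points, all with $y = 0$. As the closing remark of this section says, nothing here uses the group order of $E(\mathbb{F}_p)$.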

Proof of Theorem 2.7. By the discussion above, the sets $\mathcal{P}$ and $\mathcal{P}'$ can be
computed by solving a few polynomial equations over $\mathbb{F}_q$. When $q \in Q_1$,
a degree $d$ polynomial equation can be solved in $O(\mathrm{poly}(d \log q))$ by The-
orem 2.6. Since $n = O(\mathrm{poly}(\log q))$, the degrees of all polynomials in the
discussion above are also $O(\mathrm{poly}(\log q))$. The theorem follows. $\square$

Note that the running time of the elliptic curve $n$-th root algorithm
depends mostly on the finite field $\mathbb{F}_q$ but not on the curve. Once polynomial
equations can be solved efficiently over $\mathbb{F}_q$, elliptic curve $n$-th roots can be
computed efficiently for any curve. Also, the number of points of $E(\mathbb{F}_q)$ is
not required in the algorithm.